Security Alert

Duo Mobile Launching App Update

Beginning this month, Duo will be rolling out an updated version of the Duo Mobile app! Once the app is updated, users will notice a new, clean design. Push notifications, passcodes and phone calls will continue to work as usual; the update is only a design change. Duo’s biggest change will be swapping the position of the green “Approve” and red “Deny” buttons.


What is changing?

  • The position of the Approve/Deny buttons will change so that Approve is on the right, a “thumb-friendly” location.
  • Duo is improving the accessibility of the app, including adding a landscape view, variable font sizes, and improved color contrast.
  • The new app provides clear guidance on restoring accounts if you get a new device.
  • Duo is making it easier to find and manage your accounts with a simpler interface.

What is not changing?

The core functionality of Duo Mobile is not changing. You will continue to be able to:

  • Receive a Duo Push.
  • Use passcodes, which don’t require an internet connection.
  • Add, edit, reorder, and remove accounts.
  • Back up and restore accounts.
  • Use dark mode.
  • And anything else you can do in the current version of the app.

When the redesigned Duo Mobile launches, will I need to do anything?

It depends. If you have enabled automatic app updates on your device, Duo Mobile will update automatically. You can also manually update Duo Mobile on your device.

Will I need to restore my accounts or settings once Duo Mobile is updated?

No. All of your protected accounts will be automatically present in Duo Mobile after the update. You do not need to re-add anything. In addition, all of your existing settings, such as settings for Duo Restore for third-party accounts such as Instagram or Facebook, will also carry over automatically.

Cybersecurity Town Hall Event

Ransomware is a term you’ve seen a lot in the news lately, but do you know how to protect yourself, your computer and your sensitive information from a ransomware attack? Join the OIT Security Team Wednesday, Oct. 20 at 2pm for a virtual Town Hall Meeting to ask questions of the team and learn how to be cyber secure.

UA CISO Ashley Ewing will provide a brief presentation on cybersecurity practices at UA and offer tips on how you can protect sensitive information. The team will then answer questions from the audience! Email meg@ua.edu to submit a question to the team in advance! More information about the event is available on the UA Events Calendar.

The Town Hall will be held on Microsoft Teams.

Update Apple Products and Google Chrome

Apple Updates

Apple has released security updates for a zero-day vulnerability that affects all iPhones, iPads, Macs and Apple Watches. Users are urged to update operating systems as soon as possible. More information about the vulnerability and update is available through various news sources, including TechCrunch.

Google Chrome Updates

Additionally, Google Chrome has released updates to combat a vulnerability. Please update Google Chrome browsers as soon as possible. More information about the vulnerability and update is available through various news sources, including Forbes.

Cybersecurity Tip: Data Scraping

You may have seen the terms “data scraping” or “web scraping” in news stories lately, and asked yourself, “What is data scraping?” Look no further: the pros in OIT have got the answer.

What information can be scraped?

Websites can include a lot of important data – much of which is information that users provide. Think for a moment, what information have you made publicly available on the web? Perhaps within your Facebook or LinkedIn profile details you’ve shared your name, degrees, relationships, location and work history. How many of your account security questions can be answered by this information? For example: what was your first job, or what is your maternal grandfather’s name?

How does it work?

Malicious actors use web scraping tools to extract data from websites. Data scraping creates feeds of information for easy parsing and analysis. Content can be scraped from multiple websites (a phone number here/an email address there) to combine the information and establish an entire user profile.

Note – data scraping is not always used for malicious activities. Marketing companies, content creators and designers often use data scraping tools to research their customer base, find leads or personalize advertisements. Although not malicious, consider asking yourself – do I want companies to know this much information about me?

Limit sharing.

Here is a key tip to limiting what personal information about you can be scraped off of the web: limit what you put out there! If less of your personal information exists online, less information can be scraped and used – by marketing companies or by malicious actors.

Recently, scraped data from 500 million LinkedIn users was posted online. To be clear – LinkedIn did not experience a data breach; rather, actors scraped publicly available content from the site, compiled it, then posted it online. The data included account usernames, full names, email addresses, phone numbers, workplace information, genders and links to other social media accounts.

Review your online profiles, and consider what you want malicious actors and marketers to know about you. Remember – information posted online can be made available to audiences beyond your “friends,” so be cautious about what you share.

OIT Tax Tips

This year’s tax deadline has been extended, which means phishers and scammers have even more time than normal to trick individuals with tax scams. OIT has tips for UA students, faculty and staff to keep sensitive tax information safe this spring.

Beware of phone and email scams.

Do not be fooled by phone calls or emails that claim to be from the IRS and demand immediate payment. If you owe money to the IRS, you will receive a bill by mail, not a phone call or email.

Additionally, malicious actors may pose as the IRS and send messages with content such as “Where’s My Refund” or “Tax Refund Payment” attempting to lure in victims. These messages often include web links where they will ask the message recipient to submit sensitive information including a Social Security number, date of birth and prior year annual gross income. Be mindful of the red flags of phishing to easily spot phishing emails.

Store documents in a safe place.

You wouldn’t leave a paper copy of your W-2 sitting on a public bench. The same rules apply to online storage! Tax documents should be stored on a secure hard drive or personal, encrypted cloud storage account.

Send documents in a secure manner.

Do not email sensitive documents as an attachment. To share files, OIT recommends storing them in a secure cloud storage account, and sharing access to that account with only individuals you trust. OIT also recommends that faculty and staff use a personal email account for tax purposes. The email account should be secured with a strong password and two-factor authentication. Gmail offers Google Two-Step as an easy way to better secure email accounts.

Select a secure accountant.

If you choose to use an accounting service or company to file your taxes for you, ensure they have a record of good cybersecurity practices. By employing a tax accountant, you are trusting them with your most sensitive data. It isn’t unreasonable to ask what measures they take to ensure your data is safe.

Tax-related identity theft is the most common type of identity theft. To learn more tips about how to protect your tax information, visit the IRS website, Identity Theft Central.

Student Phishing Alert – March 3, 2021

Wednesday, March 3, many UA students received a phishing email that featured the subject title “P/A WORK APPLICATION”.

This email is a scam, not an actual work application. A screenshot of the phishing message is below. If you received this message, please delete it. Take a moment to review the red flags of phishing to learn how to spot common phishing emails like these.

If you have any questions or concerns, contact OIT Security at 205-348-5555 or itsd@ua.edu.

student phishing email

LifeLock with Norton – Personal Machines Only

As a part of the benefits package offered to faculty and staff, The University of Alabama offers identity theft protection from LifeLock with Norton.

This service provides enrollees with identity protection and credit monitoring as well as Norton 360 antivirus software. Enrollees are permitted to use the Norton 360 antivirus software on personal machines only. University machines are protected with McAfee antivirus software, which will not work effectively alongside Norton antivirus software.

If you have installed Norton 360 on a University machine, please work with IT support in your area to remove the software. Additionally, Norton 360 customers may contact member services at 800-607-9174 for assistance removing the software. Dedicated Norton agents are available 8am-6pm CST for assistance.

Student Phishing Alert – Dec. 1

Tuesday, Dec. 1, more than 600 UA students received a phishing email that featured the subject title “FIXED TERM (PART-TIME JOB)”.

This email is a scam, attempting to trick students into providing information for a fake job opportunity. A screenshot of the phishing message is below. If you received this message, please delete it. Take a moment to review the red flags of phishing to learn how to spot common phishing emails like these.

If you have any questions or concerns, contact OIT Security at 205-348-5555 or itsd@ua.edu.

student phishing